CloudWatch Events

CloudWatch Events (CWE) is a general event bus for AWS infrastructure. Currently, it covers
several major sources of information:

CloudTrail API calls over a poll period on CloudTrail delivery,

real-time instance status events,

autoscale group notifications, and

scheduled/periodic events.

CloudTrail provides a very rich data source over the entire range of AWS
services exposed via the audit trail, which allows Custodian to define effective
real-time policies against any AWS product. Additionally, for EC2 instances we
can provide mandatory policy compliance - this means that non-compliant
resources never become available.

Custodian provides for policy level execution against any CWE event stream.
Each Custodian policy can be deployed as an independent Lambda function. The
only difference between a Custodian policy that runs in Lambda and one that
runs directly from the CLI in poll mode is the specification of the
subscription of the events in the mode config block of the policy.

Internally Custodian will reconstitute current state for all the resources
in the event, execute the policy against them, match against the
policy filters, and apply the policy actions to matching resources.

When using --assume on the custodian run CLI command, the specified
role is also used as the execution role attached to the Lambda
function that gets deployed. In that scenario it is not necessary to
specify the role attribute in the mode config block. However, if
you are not using the --assume option, you must add role
to the mode config block. When specifying role, {account_id} is substituted
at runtime so a policy can be used across accounts.

AWS Config rules allow you to invoke logic in response to configuration changes in your AWS
environment, and Cloud Custodian is the easiest way to write and provision
Config rules. Delay here is typically 1-15m (though the SLA on tag-only changes
is a bit higher).

In this section we’ll look at how we would deploy the quickstart example using Config. Before you proceed, make sure you’ve
removed the Custodian tag from any EC2 instance left over from the
quickstart.

First, modify custodian.yml to specify a mode type of config-rule.
You’ll also need the ARN of an IAM role to assume when running the Lambda that
Custodian is going to install for you. Sensible policies to add to that role would be
AWSLambdaBasicExecutionRole and AWSConfigRulesExecutionRole, on top of any permissions
your lambda is going to need to perform the actions you want it to perform.

Go check the AWS console to see the Lambda as well as the Config rule that
Custodian created. The Config rule should be listed as “Compliant” or “No
results reported” (if not, be sure you removed the Custodian tag from any
instance left over from the quickstart).

Now for the fun part! With your new policy installed, go ahead and create an
EC2 instance with a Custodian tag (any non-empty value), and wait (events
from Config are effectively delayed 15m up to 6hrs on tag changes). If all goes
well, you should eventually see that your new custom Config rule notices the
EC2 instance with the Custodian tag, and stops it according to your policy.

Congratulations! You have now installed your policy to run under Config rather
than from your command line.
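The complete custodian.yml the procedure above asks you to write, as an added example rather than a file from the page: the policy name and the tag filter/stop action are assumed to match the quickstart, and the role name Custodian is a placeholder for whichever IAM role you created with the two managed policies mentioned above.

```yaml
policies:
  - name: my-first-policy          # assumed quickstart policy name
    resource: ec2
    mode:
      # Run this policy as an AWS Config rule instead of from the CLI.
      type: config-rule
      # {account_id} is substituted at deploy time, so the same file
      # works in every account that has a role named Custodian.
      role: arn:aws:iam::{account_id}:role/Custodian
      # Any Lambda function option can be set here as well.
      timeout: 60
      tags:
        Application: Custodian
        CreatedBy: CloudCustodian
    filters:
      # Match instances that carry a Custodian tag with any non-empty value.
      - "tag:Custodian": present
    actions:
      - stop
```

Deploy it with `custodian run -s out custodian.yml` (add `--assume <role-arn>` if you prefer to omit the role key), then continue with the console check above.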

Custodian Lambdas support configuring all Lambda options via keys on the lambda
mode in the YAML. See the AWS Lambda Function Configuration page in the AWS
documentation for the full list of configuration options available on a Lambda.

Refer to AWS Modes for detailed explanation of the different type
values and the corresponding additional configuration options each requires.

Here is an example YAML fragment that shows the options you are most likely to want or need to configure on a
lambda:

```yaml
mode:
  type: cloudtrail
  events:
    - CreateBucket

  ##### ROLE #####
  # Specify the ARN role as either name or full ARN. This shows
  # us running the lambda with the IAM role named Custodian.

  # Specifying role by name:
  role: Custodian

  # Or specifying using a full ARN
  # role: arn:aws:iam::123456789012:role/Custodian

  ##### TAGS #####
  # Specify the tags to assign to this Lambda. We are setting a
  # tag named "Application" with a value of "Custodian", and a
  # "CreatedBy" tag with a value of "CloudCustodian".
  tags:
    Application: Custodian
    CreatedBy: CloudCustodian
```